We have Metro ethernet that is managed, and changes have to be done by the ISP. We have 10 sites where we need to expand the IP address space for an upgrade as we don't have enough addresses (only 15 per site) We are adding some network gear and need 5 more per site.
Going to each site to change this with the ISP and dealing with any issues is a PITA. I suggested we open up 15 more for growth, but my manager insists that having unused addresses like that are a security risk.
These are all remote and unmanned sites we are expanding that have crap for physical security, such as cheap locks, no cameras, and no security alarm. My rebuttal is the headache of not having room to grow is more headache than security risk. If they are really concerned with security, they should worry about the physical security issues because if someone gets physical access to our network gear, it's a done deal.
Who is right, and who is wrong? Is his thinking that having extra unused addresses already set up for each site is a valid security concern? I know it's theoretically valid, but is it reasonably valid?